ONEKEY Security Advisory Cisco Banner

Security Advisory: Remote Command Execution in Cisco Access Point WAP Products

Introduction

With the recent release of our binary zero-day identification feature, we wanted to demonstrate what it would look like, when applied in a variant analysis approach.

The research team spotted a Synacktiv blog post and immediately launched an analysis on Cisco WAP321 to see if we could find other vulnerabilities or simple variants of what was initially reported by them.

After a few minutes, the results were in. We identified 2 format string vulnerabilities, 160 stack buffer overflows, and 25 command injections. All of these paths are valid and unique but corresponds to a variation of the same vulnerability repeated over and over again.

For device manufacturers, having such capabilities will not only empower your PSIRT team to quickly assess bug reports but also enhance their ability to identify variations of reported bugs, thereby maximizing the impact of vulnerability fixes. Consequently, this will reduce the risk of cybercriminals, state-sponsored attackers, and opportunistic security researchers exploiting variations of reported and resolved issues.

Remote Command Execution

Affected vendor & productCisco Small Business 100, 300, and 500 Series Wireless APs
Vendor Advisoryhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRB
Vulnerable versionALL
Fixed versionN/A
CVE IDsCVE-2024-20335
Impact (CVSS)CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CreditQ. Kaiser, ONEKEY Research Lab
Research supported by Certainity

Summary

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to execute commands on the system hosting the web service.

Impact

By successfully exploiting this vulnerability, remote authenticated attackers could gain remote command execution on the appliance with elevated privileges.

Description

One source of command injections is the use of unsanitized user input in tftp commands. Instead of reusing a unique TFTP handling function, this function is repeated for each and every feature needing TFTP.

For example, the pcap_download_handler feature will get the update.device.packet-capture.tftp-file-name parameter from the request:

And feed it right to the following command:

Similar behavior is observed for 16 of our reported issues, corresponding to 8 paths multiplied by 2 vulnerable parameters (the TFTP server parameter, and the fetched filename parameter).

Other examples of command injections include the Access Point management feature where authenticated users can define MAC address filtering. By injecting a command into the grantedMac request parameter, they could gain remote command execution:

Another one involves the setup wizard where a malicious user could gain remote command execution by injecting a payload in the wiz-manual-time-string request parameter holding the date setting of the access point:

Recommendation

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.

Format String

Affected vendor & productCisco Small Business 100, 300, and 500 Series Wireless APs
Vendor AdvisoryTBA
Vulnerable versionALL
Fixed versionN/A
CVE IDsTBD
Impact (CVSS)CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CreditQ. Kaiser, ONEKEY Research Lab
Research supported by Certainity

Summary

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to execute commands on the system hosting the web service.

Impact

By successfully exploiting this vulnerability, remote authenticated attackers could gain arbitrary code execution on the appliance with elevated privileges.

Description

This is one of the funniest bugs of this device. The download.cgi allows authenticated users to pull logs from the device. Logs are either system logs pulled with the /splashbin/get log-entry > /tmp/logs.txt command or rogue access points logs created by the RogueAP agent and saved to /tmp/rogueap_knownlist_export.txt.

To provide the logs, the CGI script opens the log file and read it line by line. For each line it reads, it sends it back to the HTTP client by using printf. See where this is going ?

So, if you can poison the system logs with a format operator (e.g. %p, %x), or emit beacon frames in the vicinity of that device with an SSID holding a format operator, you can obtain read-write primitives through format strings when the administrator pulls the logs from the appliance.

Recommendation

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.

Stack Buffer Overflow

Affected vendor & productCisco Small Business 100, 300, and 500 Series Wireless APs
Vendor Advisoryhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRB
Vulnerable versionALL
Fixed versionN/A
CVE IDsCVE-2024-20336
Impact (CVSS)CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CreditQ. Kaiser, ONEKEY Research Lab
Research supported by Certainity

Summary

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to gain arbitrary code execution.

Impact

By successfully exploiting this vulnerability, remote authenticated attackers could gain remote command execution on the appliance with elevated privileges.

Description

All the stack buffer overflows that were detected are

Recommendation

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.

Key Takeaways

Our recently introduced binary static analysis feature equips the Product Security Response Team with an invaluable tool for identifying vulnerability variants within product lines. Whether detecting bugs during internal reviews or responding to reports from security researchers, this automated solution will report on every combination of user controlled source to dangerous function call path for known patterns.

With this innovative feature, users gain the confidence that every variant of a specific bug has been identified, all without necessitating access to the source code. Auditors and reversers will find this automated binary static analysis akin to having a diligent intern spot and validate “low hanging fruit” vulnerabilities, allowing them to direct their focus towards more complex issues.

Timeline

  • 2024-01-25 –Report submitted to Cisco PSIRT, a case is opened.
  • 2024-01-29 –Case is picked up by analysts, investigation starts.
  • 2024-01-31 –Analysts mention the device is end-of-life but they still plan on releasing an advisory on March 6th.
  • 2024-03-06 –Coordinated advisory release.
  • 2024-03-06 –Release Cisco advisory.
  • 2024-03-18 –Release ONEKEY advisory.

About ONEKEY

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.

 

CONTACT:

Sara Fortmann

Marketing Manager

sara.fortmann@onekey.com

 

euromarcom public relations GmbH

+49 611 973 150

team@euromarcom.de